VMware vSphere

 View Only
  • 1.  Permissions on Folders

    Posted Nov 12, 2024 07:35 AM

    Hello,

    currently we have too many Users with high privileges and i want to reduce this number. Most of our Users just dont need  more then creating snapshots on a subset of our servers.

    Our folders for servers are structured by status and types. So some of them like domaincontrollers, exchangeservers etc. should excluded from access by standard users.

    So my question is about granting folder permissions using VCenter 7. Is it possible to grant global read-only permissions to an AD-group which changes down in folderstructure to a role with higher permissions? So these people should see everything, but should be allowed to administer just a subset of servers.
    What is your experience relating to managing userprivileges in a secure way?

    Thank you,
    Hans



  • 2.  RE: Permissions on Folders

    Posted Nov 13, 2024 07:44 AM

    Child permissions should to take precedence so that should work but I would recommend against a global Read-Only group.  The preferred method would be to create a group for each area (if it doesn't already exist) and assign permissions and roles there.  Perhaps even re-arrange your VM folders by department to make assigning permissions to their VM's eaiser, just assign to the folder.

    You may even want to define a role for each department if their necessary VM operations vary or may vary in the future. 

    I'm not sure if this will work in your environment, but was thinking of something like this:

    Department_A - Read-Only at the root -- VM User Role at Dept_A VM's

    Department_B - Read-Only at the root -- VM User + Snapshot Role at Dept_B VM's

    Department_C - Read-Only at the root -- VM User + Snapshot + PowerOff Role at Dept_C VM's




  • 3.  RE: Permissions on Folders

    Posted Nov 26, 2024 06:08 AM

    Hello Kent,

    thank you for your answer. I think i will follow this during realization.

    Thanks,
    Hans